BACKGROUND OF THE INVENTION 

Field of the Invention 

The present invention is related to the field of networking. In particular, the present 
invention is related to a method and apparatus for monitoring encrypted communications 
in a network. 

Description of the Related Art 

Network security is a growing concern of organizations that employ networked 
computer systems. As a security measure, a corporation may wish to limit the 
communications between different groups of employees within the organization, or may 
desire to keep individuals from within the corporate structure from snooping in on the 
transmission of other employees within the corporation, or the corporation may wish to 
monitor the content of information that is transmitted between different employees within 
the corporate network. 

key to decrypt the message. Thus, the private keys are not transmitted and are thereby 
secure. In this method too, a network monitoring element such as a network 
administrator will be unable to monitor the encrypted communications between two 
computers on the network as the network monitoring element is not in possession of the 
key that is needed to decrypt the data. The prior art fails to describe a method or an 
apparatus for monitoring encrypted communications in a network, by a network 
administrator or by a network element such as another computer that has the authority to 
do so. 
BRIEF SUMMARY OF THE DRAWINGS 

Figure 1 illustrates an embodiment of a prior art system wherein data is encrypted. 
Figure 2 illustrates an embodiment of the disclosed invention using a policy server and a 
policy administrator to monitor encrypted communications in a network. 
Figure 3 is a flow diagram illustrating an overview of an embodiment of the invention. 
Figure 4 is a flow diagram of the communication process between network elements. 
Figure 5 is a flow diagram illustrating details of an embodiment of the invention. 
Figure 6 illustrates a policy server comprising an embodiment of the invention. 
Figure 7 illustrates a network monitoring element comprising an embodiment of the 
invention. 
DETAILED DESCRIPTION OF THE INVENTION 

Described is a method and apparatus for monitoring encrypted communications in a 
network. In particular, the invention describes a method and apparatus for monitoring 
encrypted communications in a network comprising establishing a network policy (NP) 
on a policy server, establishing a network monitoring digital contract (NMDC) between 
the policy server and a network monitoring element, establishing a network use digital 
contract (NUDC) between the policy server and a first network element, establishing a 
NUDC between the policy server and a second network element, and monitoring 
communications between the first network element and the second network element, by 
the network monitoring element, in accordance with the network policy, the network 
monitoring digital contract, and the network use digital contracts. 

In the following description, numerous specific details are set forth in order to 
provide a thorough understanding of the present invention. It will be apparent, however, 
to one of ordinary skill in the art that the present invention may be practiced without 
these specific details. In other instances, well-known architectures, steps, and techniques 
have not been shown to avoid unnecessarily obscuring the present invention. For 
example, specific details are not provided as to whether the method is implemented in a 
local area network (LAN), a wide area network (WAN), or across the Internet. Also, 
specific details are not provided as to whether the method is implemented as a software 
routine, hardware circuit, firmware, or a combination thereof. While the description that 
follows addresses the method as it applies to a Local Area Network (LAN) application, it 
is appreciated by those of ordinary skill in the art that the method is generally applicable 
to any network application including, but not limited to, internetworks (Internet), 
Metropolitan Area Networks (MANs), and Wide Area Networks (WANs). 

In one embodiment, Figures 2 and 3 illustrate a network comprising a plurality of 
policy servers 201, a plurality of network monitoring elements 202, and network 
elements 203 and 204 (such as computers). At 300, a network policy (NP) is defined, 
distributed and administered by policy administrator 205. At 310 the policy 
administrator transmits the NP to each network element. A network element may only 
communicate with another network element in accordance with a particular 
communication rule defined in the NP. If two network elements are allowed to 
communicate with each other, the NP stipulates the type of encryption algorithm, 
authentication algorithm, the type of keys used for encryption and authentication, and the 
duration of time during which the keys are valid. The term network element as used here 
is generic and is to be construed to include any network element, including computers, 
which may communicate with each other. 

At 320, once the NP has been transmitted to each network element, a network 
monitoring element 202 that desires to monitor the communication between network 
elements 203 and 204 obtains a network monitoring digital contract (NMDC) from the 
policy administrator 205. Although the description that follows is for a network 
administrator to monitor communication between network elements, any network 
element that possesses the required authorization as indicated in the NP may monitor the 
communications between network elements. In one embodiment the policy administrator 
205 and the network monitoring element 202 are physically located on the same device. 
In one embodiment, prior to issuing the NMDC, the policy administrator 205 
authenticates the network administrator 202 by requesting from the network administrator 
its proof of identity. In one embodiment this proof of identity is a digital certificate. A 
digital certificate is the digital equivalent of an identity (ID) card used in conjunction 
with a public key encryption system. Digital certificates are well known in the art and 
are issued by third parties known as certification authorities (CAs) such as VeriSign, Inc., 
of Mountain View, CA. After receiving the digital certificate from the network 
administrator 202 and after authenticating the network administrator, the policy 
administrator 205 requests and receives from the network administrator 202 the network 
administrator's authorization, which in one embodiment is a legal corporate 
authorization. The network administrator's authorization or legal corporate authorization 
validates the network administrator's authority to monitor network communications as 
specified in the NP. The authorization, or legal corporate authorization comprises a 
digital signature. A digital signature is an electronic signature that is well known in the 
art. The policy administrator authenticates the network administrator's digital signature. 
On receiving and authenticating both, the digital certificate that authenticates the network 
administrator, as well as the digital signature that validates the network administrator's 
authority to monitor network communications, the policy administrator 205 issues the 
network monitoring element a NMDC. The NMDC includes the digital certificate of the 
policy administrator 205, the digital certificate of the network administrator 202, the 
digital signature of the network administrator 202, the digital signature of the policy 
administrator 205, the date, the time, and the content of the transaction. In one 
embodiment the content of the transaction includes the type of decrypting information to 
be transmitted, including the decrypting keys needed for decrypting the encrypted 
communication between the communicating elements. The NMDC also includes the 
period during which the NMDC is valid. A copy of the NMDC is maintained on the 
policy administrator 205 prior to transmitting the NMDC to the network administrator 
202. On receipt of the NMDC, the network administrator maintains a copy for future use. 

The network administrator 202 transmits the NMDC to the policy administrator 
205 each time the network administrator desires to monitor the communications between 
network elements. The policy administrator 205 verifies the validity of the NMDC and 
issues the network administrator the information it needs to decrypt the communication 
between the elements it intends to monitor. The aforementioned validation process is 
performed each time the network administrator desires to monitor the encrypted 
communications because the decryption keys could be different for each set of 
communicating elements. The network administrator has to renew its NMDC once the 
NMDC expires. The process to renew the NMDC is as explained above. 

In addition to the NMDC, at 330, a second digital contract called the network use 
digital contract (NUDC) is established between each network element and the policy 
administrator 205. In particular, each network element registers itself with the policy 
administrator 205 as one of the policy server's clients and agrees to be bound by the rules 
in the NP and the NUDC. The NUDC includes the digital certificate of the registering 
network element 203, the digital certificate of the policy administrator 205, the digital 
signature of the policy server, the digital signature of the network element, the date, the 
time, the content of the transaction, and the period during which the NUDC is valid. In 
one embodiment a copy of the NUDC is maintained on the policy server and on the 
network element. The NUDC is valid as long as the network element follows the rules 
established by the NP and the NUDC. In one embodiment, if the network element 
chooses not to follow the established rules, a record of the infraction is maintained in its 
encryption and authentication log, a copy of the infraction is sent to the policy 
administrator, and the network element will not be able to communicate with other 
network elements on the network. In one embodiment, the content of the transaction in 
the NUDC includes establishing the authority for the policy administrator 205 to secretly 
access the encryption and authentication log and obtain the decryption information stored 
on the network element. Establishment of such authority may be performed using any 
one of a number of authorization techniques known in the art. 
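Both digital contracts described above share one layout (the certificates of both parties, both digital signatures, the date, the time, the content of the transaction, and the validity period), and the policy administrator must re-validate the NMDC on every monitoring request. The following is an added example, not code from this patent, showing that layout and the validation steps in Python for both the NMDC and the NUDC. It assumes HMAC-SHA256 with per-party shared secrets as a stand-in for the CA-issued certificates and public-key digital signatures the text calls for, and an assumed `monitor_pairs` field inside the NMDC content recording which element pairs the holder is authorized to monitor; the party names, issue time and validity periods are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed signing secrets for the parties named in the text. The text calls for
# CA-issued digital certificates and public-key digital signatures; HMAC-SHA256
# over the canonical contract body stands in for them so this runs on the standard library.
SIGNING_KEYS = {
    "policy-administrator-205": b"pa-205-signing-secret",
    "network-administrator-202": b"na-202-signing-secret",
    "network-element-203": b"ne-203-signing-secret",
}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both parties sign, and later verify, identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(party: str, body: dict) -> str:
    return hmac.new(SIGNING_KEYS[party], canonical(body), hashlib.sha256).hexdigest()


def signature_ok(party: str, body: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(party, body), sig)


def issue_contract(kind, issuer, subject, content, issued_at, valid_for):
    """Build an NMDC or NUDC with the fields the text lists, signed by both parties."""
    body = {
        "kind": kind,                       # "NMDC" or "NUDC"
        "issuer_cert": "cert:" + issuer,    # certificate stand-ins
        "subject_cert": "cert:" + subject,
        "date": issued_at.date().isoformat(),
        "time": issued_at.time().isoformat(timespec="seconds"),
        "content": content,                 # content of the transaction
        "valid_until": (issued_at + valid_for).isoformat(),
    }
    return {"body": body, "sig_issuer": sign(issuer, body), "sig_subject": sign(subject, body)}


def validate_contract(presented, retained, issuer, subject, now):
    """Checks run each time a contract is presented to the policy administrator.

    `retained` is the copy kept on the policy administrator at issue time.
    Returns "ok" or the first reason for rejection.
    """
    body = presented["body"]
    if not signature_ok(issuer, body, presented["sig_issuer"]):
        return "issuer signature invalid"
    if not signature_ok(subject, body, presented["sig_subject"]):
        return "subject signature invalid"
    if now > datetime.fromisoformat(body["valid_until"]):
        return "contract expired"
    if canonical(body) != canonical(retained["body"]):
        return "contract differs from retained copy"
    return "ok"


def monitoring_scope_ok(nmdc, element_a, element_b) -> bool:
    """Assumed layout of the NMDC content: the element pairs the holder may monitor."""
    return sorted((element_a, element_b)) in nmdc["body"]["content"]["monitor_pairs"]


def demo():
    """Issue an NMDC and a NUDC, then present the NMDC intact, tampered, and expired."""
    pa, na, ne = "policy-administrator-205", "network-administrator-202", "network-element-203"
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed issue time
    nmdc = issue_contract("NMDC", pa, na, {
        "decrypting_info": "session keys of the monitored pair",
        "monitor_pairs": [["network-element-203", "network-element-204"]],
    }, issued, timedelta(days=30))
    nudc = issue_contract("NUDC", pa, ne, {
        "bound_by": ["NP", "NUDC"],
        "log_access": "policy administrator may read the encryption and authentication log",
    }, issued, timedelta(days=365))
    retained = json.loads(json.dumps(nmdc))     # copy kept by the policy administrator
    tampered = json.loads(json.dumps(nmdc))     # holder tries to widen its own monitoring scope
    tampered["body"]["content"]["monitor_pairs"].append(["network-element-203", "network-element-205"])
    day_after, after_expiry = issued + timedelta(days=1), issued + timedelta(days=31)
    return {
        "nmdc_fresh": validate_contract(nmdc, retained, pa, na, day_after),
        "nudc_fresh": validate_contract(nudc, nudc, pa, ne, day_after),
        "nmdc_tampered": validate_contract(tampered, retained, pa, na, day_after),
        "nmdc_expired": validate_contract(nmdc, retained, pa, na, after_expiry),
        "in_scope": monitoring_scope_ok(nmdc, "network-element-204", "network-element-203"),
        "out_of_scope": monitoring_scope_ok(nmdc, "network-element-203", "network-element-205"),
    }
```

The comparison against the retained copy is the check that gives the policy administrator's stored copy a purpose: a presented contract whose signatures still verify but whose body differs from the copy kept at issue time could only have been produced by someone holding both signing keys, so signatures, validity period and the retained copy are all consulted before any decrypting information leaves the policy server.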

Referring to figure 4, after the NP, the NMDC and the NUDC are in place, at 400 
a network element 203 desires to communicate with another network element 204. At 410 
network element 203 looks up the NP it received from the policy administrator 205 to 
determine if it has the authority to communicate with network element 204. If the 
authority to communicate exists, at 420, network element 203 determines whether to 
communicate with network element 204 using the encryption and authentication rules of 
the NP or its own encryption and authentication algorithm. At 430, network element 203, 
having decided to use its own encryption and authentication algorithm, logs the details of 
the encryption and authentication algorithms including any keys needed to decrypt the 
communications between network elements 203 and 204. In one embodiment, the logs 
stored on network element 203 are stored in an encrypted format. At 440, network 
element 203, after logging the encryption and authentication algorithm it intends to use, 
including the decrypting keys, communicates with network element 204 in an encrypted 
format. At 450, if network element 203 instead uses the rules of the NP, it logs the 
encryption and authentication algorithm including the decrypting keys as specified by the 
NP. In one embodiment, the logs stored on the policy server are in an encrypted format. 
At 460, network element 203 uses the encryption and authentication algorithm logged 
and communicates with network element 204. 

Referring to figure 5, the process by which network administrator 202 monitors 
encrypted communications between network elements 203 and 204 will now be 
described. At 581, the NMDC and the NUDC have been established. At 500, network 
administrator 202 decides to monitor the communications between network elements 203 
and 204. At 510, the policy administrator 205 receives the NMDC from the network 
administrator 202. At 520, the policy administrator 205 authenticates the NMDC. After 
determining that the NMDC is valid, at 540 the policy administrator determines whether 
it has the decrypting information in its own log. In one embodiment, decrypting 
information includes decrypting keys for decrypting the encrypted communications 
between the network elements. If the policy administrator has the decrypting 
information, at 560 the policy administrator transmits the decrypting information to 
network administrator 202. At 590, the network administrator uses the decrypting 
information obtained from the policy administrator to decrypt the encrypted 
communications between network elements 203 and 204. At 550, if the policy administrator 
does not have the decrypting information in its log, it obtains the decrypting information 
from the log on network element 203 or 204 and transmits the decrypting information to 
the network administrator 202. In another embodiment, at 580, the policy administrator 205 
itself decrypts the communication between network elements 203 and 204 and transmits the 
decrypted information to network administrator 202. This transfer of information is done via a 
secure link between the policy administrator 205 and the network administrator 202. 
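The flows of figures 4 and 5 fit together as one exchange: a network element consults the NP before talking to a peer, logs the algorithm and keys it will use in an encrypted log, and the policy administrator later answers a validated monitoring request from its own log or, failing that, from the element's log, after which the monitoring element decrypts the traffic. The following Python is an added example and not the patent's own code. It assumes a toy HMAC-SHA256 counter-mode stream cipher as the algorithm the NP stipulates (the text names none), a per-element log key that the policy administrator obtains under the NUDC, and a constructed NP and message; whether the NMDC authenticated is taken as a boolean input.

```python
import hashlib
import hmac
import os


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream cipher; stand-in for the NP's algorithm."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# Constructed NP: the element pairs allowed to communicate and the rule for each.
NETWORK_POLICY = {
    frozenset({"203", "204"}): {"cipher": "hmac-ctr", "auth": "hmac-sha256", "key_bytes": 32},
}


class NetworkElement:
    def __init__(self, name):
        self.name = name
        self.sessions = {}             # peer -> session key, held in memory only
        self.log_key = os.urandom(32)  # assumed per-element log key; the NUDC lets the policy administrator obtain it
        self.log = {}                  # peer -> encrypted record of algorithm and keys

    def start_session(self, peer, policy=NETWORK_POLICY):
        rule = policy.get(frozenset({self.name, peer}))
        if rule is None:               # 410: the NP grants no authority to communicate
            raise PermissionError(f"{self.name} may not communicate with {peer}")
        key = os.urandom(rule["key_bytes"])                       # 420: use the NP's rule
        record = f"{rule['cipher']}|{rule['auth']}|{key.hex()}".encode()
        nonce = os.urandom(8)
        self.log[peer] = nonce + xor_stream(self.log_key, nonce, record)  # 450: encrypted log
        self.sessions[peer] = key
        return key

    def send(self, peer, plaintext: bytes) -> bytes:              # 460: encrypted traffic
        nonce = os.urandom(8)
        return nonce + xor_stream(self.sessions[peer], nonce, plaintext)

    def read_log(self, peer, log_key) -> str:
        blob = self.log[peer]
        return xor_stream(log_key, blob[:8], blob[8:]).decode()


class PolicyAdministrator:
    def __init__(self):
        self.key_log = {}   # pair -> decrypting information already on the policy server
        self.log_keys = {}  # element -> log key obtained under its NUDC
        self.lookups = []   # where each answer came from

    def register(self, element):           # 330: NUDC registration, reduced to the log key
        self.log_keys[element.name] = element.log_key

    def decrypting_info(self, nmdc_valid, a, b, elements):
        if not nmdc_valid:                 # 520: an NMDC that does not authenticate gets nothing
            return None
        pair = tuple(sorted((a, b)))
        if pair in self.key_log:           # 540/560: answer from the policy server's own log
            self.lookups.append("policy-server-log")
            return self.key_log[pair]
        for elem, peer in ((elements[pair[0]], pair[1]), (elements[pair[1]], pair[0])):
            if peer in elem.log:           # 550: read whichever element logged the session
                cipher, auth, key_hex = elem.read_log(peer, self.log_keys[elem.name]).split("|")
                info = {"cipher": cipher, "auth": auth, "key": bytes.fromhex(key_hex)}
                self.key_log[pair] = info
                self.lookups.append("network-element-log")
                return info
        return None


def monitor_decrypt(info, ciphertext: bytes) -> bytes:   # 590: the monitoring element
    return xor_stream(info["key"], ciphertext[:8], ciphertext[8:])


def demo():
    e203, e204 = NetworkElement("203"), NetworkElement("204")
    pa = PolicyAdministrator()
    pa.register(e203)
    pa.register(e204)
    elements = {"203": e203, "204": e204}
    e203.start_session("204")
    wire = e203.send("204", b"quarterly numbers attached")  # constructed message
    info_first = pa.decrypting_info(True, "203", "204", elements)   # comes from 203's log
    info_again = pa.decrypting_info(True, "204", "203", elements)   # now in the server's log
    try:
        e203.start_session("205")
        denied = None
    except PermissionError as exc:
        denied = str(exc)
    return {
        "plaintext": monitor_decrypt(info_first, wire),
        "lookups": pa.lookups,
        "same_key": info_first["key"] == info_again["key"],
        "denied": denied,
        "no_nmdc": pa.decrypting_info(False, "203", "204", elements),
    }
```

The element's log and the policy administrator's key log hold live session keys, so in this design they are as sensitive as the traffic itself and the log key handed over under the NUDC deserves the same protection as a decrypting key. The toy stream cipher gives confidentiality only and no integrity; a real deployment would use an authenticated cipher for both the traffic and the logs.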

Figure 6 illustrates an apparatus of an embodiment of the invention. In particular, 
figure 6 illustrates a policy server in which an embodiment of the invention is employed. 
The apparatus comprises a receiver 600 to receive an NMDC from a network monitoring 
element and to receive a request for decrypting communications between network 
elements. Communicatively coupled to the receiver is a microprocessor 610 with a 
memory 620. The microprocessor 610 authenticates the NMDC and retrieves decrypting 
information either from memory 620 or from network elements. Communicatively 
coupled to the microprocessor 610 is a transmitter 630 for transmitting the initial copy of 
the NMDC to the network monitoring element, for transmitting a copy of the NUDC to a 
network element, and for transmitting decrypting information, including decrypting keys 
that are used by the network monitoring element to decrypt the encrypted 
communications between network elements. In one embodiment the microprocessor 
reads the logs containing the decrypting information on a network element, obtains 
the decrypting keys, decrypts the communication between network elements, and the 
transmitter transmits the decrypted communications to the network monitoring element. 

Figure 7 illustrates an apparatus of an embodiment of the invention. In particular, 
figure 7 illustrates a network monitoring element in which an embodiment of the 
invention is employed. The apparatus comprises a receiver 700 to initially receive the 
NMDC from the policy administrator, and to subsequently receive decrypting 
information, including decrypting keys to decrypt the encrypted communication it 
receives between network elements. In one embodiment the receiver 700 receives the 